CVE-2022-0017 An improper link resolution vulnerability exists in the Palo Alto Networks GlobalProtect app on Windows that enables a local attacker to disrupt system processes and potentially execute arbitrary code with SYSTEM priva >

CVE-2022-0017 An improper link resolution vulnerability exists in the Palo Alto Networks GlobalProtect app on Windows that enables a local attacker to disrupt system processes and potentially execute arbitrary code with SYSTEM priva

>

On Windows, if the app is configured to access files from a remote network, an attacker on the local network could cause the app to access a malicious file (e.g. a virus or a trojan horse) in the remote network. This type of attack is known as 'link following'. In order to exploit this issue, the attacker needs to set up a 'malicious' or 'poisoned' IP address on the local network interface of the victim's system. Then, the attacker needs to launch a specially crafted URL to the victim's system.  The victim's system will then try to access the URL, and if the URL is 'poisoned' then the system will try to access the file on the attacker's system. If the attacker has set up a specially crafted IP address on the local network interface of the victim's system, then the victim's system will try to access the file on the attacker's system. In this case, the attacker sets up a 'malicious' or 'poisoned' IP address. As mentioned, the attacker can try to launch a specially crafted URL to the victim's system. For example, the attacker could launch a URL such as the following: http://192.168.1.1/script>/script> When the victim's system tries to access the URL above, the system will try to access the file on the attacker's system. Therefore, an attacker can launch a specially crafted URL

Microsoft Windows CVE-2022-0018

On Windows, if the app is configured to access files from a remote network, an attacker on the local network could cause the app to access a malicious file (e.g. a virus or a trojan horse) in the remote network. This type of attack is known as 'link following'. In order to exploit this issue, the attacker needs to set up a 'malicious' or 'poisoned' IP address on the local network interface of the victim's system. Then, the attacker needs to launch a specially crafted URL to the victim's system.  The victim's system will then try to access the URL, and if the URL is 'poisoned' then the system will try to access the file on the attacker's system. If the attacker has set up a specially crafted IP address on

Scenario 3: A remote code execution vulnerability exists in the app's web server .

In scenario 3, a remote code execution vulnerability exists in the app's web server. The app allows an attacker to upload a malicious file (e.g. a virus or a trojan horse) to the remote web server and then execute it. This type of attack is known as 'server-side request forgery'. To exploit this issue, the attacker needs to set up a 'malicious' or 'poisoned' IP address on the local network interface of the victim's system. Then, the attacker needs to launch a specially crafted URL to the victim's system.  The victim's system will then try to access the URL, and if the URL is 'poisoned' then the system will try to access and execute the file on the attacker's system. In this case, the attacker sets up a 'malicious' or 'poisoned' IP address on their local network interface of the victim's system. As mentioned, the attacker can try to launch a specially crafted URL to the victim's system. For example, an attacker could launch a URL such as one of these: http://192.168.1.1/script>/script> http://192.168.1.1:8080/Script>/Script>

Exploit proof of concept code

It should be noted that this exploit is not able to execute arbitrary code, but it will cause the victim's system to access a file on the attacker's system.
Below, I have included code that could be used as an exploit proof of concept.
The exploit proof of concept below will launch a URL (http://192.168.1.1/script>/script>), and if the URL is 'poisoned' then the victim's system will try to access the file on the attacker's system. This can potentially lead to remote code execution if one of those files happens to be a malicious executable payload that is waiting for a connection from a vulnerable device, like in RDP or SSH.

References

Subscribe to CVE.news
Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe